ACQUISITION MANAGEMENT OF THE
JOINT PERSONNEL ADJUDICATION SYSTEM

Report No. D-2001-112                   May 5, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD,
Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports
Distribution Unit of the Audit Followup and Technical Support Directorate at
(703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and
Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or
fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling
(800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or
by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.
The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)   Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
JAMS       Joint Adjudication Management System
JCAVS      Joint Clearance and Access Verification System
JPAS       Joint Personnel Adjudication System

Office of the Inspector General, DoD
Report No. D-2001-112                   May 5, 2001
(Project No.
D2001AL-0012)

Acquisition Management of the Joint Personnel Adjudication System

Executive Summary

Introduction. This report discusses the acquisition management of the Joint Personnel
Adjudication System by the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) and the Air Force Security and Communication
Management Directorate. This report is one of a series of audit reports addressing
personnel security clearance and access issues.

The Joint Personnel Adjudication System will provide DoD with a common information
resource for granting and sharing personnel security eligibility determinations and
recording personnel access to sensitive and non-sensitive compartmented information.
Its common database, linked by the Joint Adjudication Management System and the
Joint Clearance and Access Verification System applications, will standardize security
clearance adjudications and verifications in compliance with DoD Regulation 5200.2-R,
“Personnel Security Program Regulation,” January 1, 1987.

DoD, Military Departments, and DoD Components funded the Joint Personnel
Adjudication System information technology investment. Through the fourth quarter of
FY 1999, the Assistant Secretary of Defense (Command, Control, Communications, and
Intelligence) provided the Air Force with $8 million for Joint Personnel Adjudication
System development and purchases of hardware and software. Since the start of
FY 2000, the Military Departments and DoD Components financed the Joint Personnel
Adjudication System by transferring Operations and Maintenance funds to the Air
Force. For FY 2001 through FY 2007, the Air Force estimates that the Joint Personnel
Adjudication System costs assessed to the Military Departments and DoD Components
will amount to $34 million.

Objectives.
The overall audit objective was to evaluate the acquisition management of
the Joint Personnel Adjudication System. Specifically, the audit determined whether
the system was being cost-effectively acquired, monitored, tested, and prepared for
deployment and system life-cycle support in accordance with DoD Directive 5000.1,
“Defense Acquisition,” March 15, 1996 (subsequently revised on October 23, 2000),
and DoD Directive 5200.28, “Security Requirements for Automated Information
Systems (AISs),” March 21, 1988. In addition, we evaluated the management control
program related to the objective. See Appendix A for a discussion of the audit scope
and methodology and the review of the management control program.

Results. The Assistant Secretary of Defense (Command, Control, Communications, and
Intelligence) and the Air Force did not manage the Joint Personnel Adjudication System
as an information technology investment. As a result, acquisition planning for the Joint
Personnel Adjudication System did not extend beyond the Future Years Defense Plan;
funding for the system acquisition did not comply with DoD Regulation 7000.14-R,
“Department of Defense Financial Management Regulation,” June 2000, and acquisition
management oversight did not comply with the intent of the Clinger-Cohen Act of 1996.
During the audit, the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) and the Air Force agreed to work towards:
• implementing a project plan for developing life-cycle acquisition strategy costs,
• performing independent cost and economic analyses,
• transferring program funding for development and deployment from the
  Operations and Maintenance appropriation to the Research, Development, Test
  and Evaluation appropriation, and
• transferring program funding and accounting responsibilities from
the Air Force.

However, despite the system’s significance in support of DoD missions, action had not
been initiated to provide a prudent level of acquisition oversight. See the Finding
section for details on the audit results.

Summary of Recommendations. We recommend that the Assistant Secretary of
Defense (Command, Control, Communications, and Intelligence) designate the Joint
Personnel Adjudication System as a Major Information Technology Investment, subject
to oversight of the DoD Chief Information Officer.

Management Comments. The Office of the Assistant Secretary of Defense
(Command, Control, Communications, and Intelligence) concurred with the report
finding and recommendation. A discussion of management comments is in the Finding
section of the report, and the complete text of the management comments is in the
Management Comments section.

Audit Response. The Office of the Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) actions with respect to the recommendation
are responsive. With respect to moving Joint Personnel Adjudication System funding
and accountability out of the Air Force, we request that management provide additional
comments by June 4, 2001 regarding when such action would be achievable.

Table of Contents

Executive Summary

Introduction
     Background
     Objective

Finding
     Acquisition of the Joint Personnel Adjudication System Information
       Technology Investment

Appendixes
     A. Audit Process
          Scope
          Methodology
          Management Control Program Review
          Prior Coverage
     B. DoD Central Adjudication Facilities
     C. Acquisition Guidance
     D. Report Distribution

Management Comments
     Assistant Secretary of Defense (Command, Control, Communications,
       and Intelligence)

Background

This report is one in a series of audit reports addressing personnel security
clearance and access issues. Previous Inspector General, DoD, reports addressed
tracking security clearance requests, security clearances for personnel in mission-
critical and high risk positions, feasibility of consolidating adjudicative facilities,
the lack of access reciprocity within DoD special access programs, personnel
resources needed at the DoD adjudicative facilities, the program management and
acquisition of the Case Control Management System, and the accuracy, integrity,
timeliness, and availability of information in the Defense Clearance and
Investigation Index Database.

The Joint Personnel Adjudication System. The Joint Personnel Adjudication
System (JPAS) will provide DoD with a common information resource for granting
and sharing personnel security eligibility determinations and recording personnel
access to sensitive and non-sensitive compartmented information.
Its common
database, linked by the Joint Adjudication Management System (JAMS) and the
Joint Clearance and Access Verification System (JCAVS) applications, will
standardize security clearance adjudications in compliance with DoD Regulation
5200.2-R, “Personnel Security Program Regulation,” January 1, 1987, and will
provide security managers with eligibility verifications for personnel desiring access
to sensitive and classified facilities, weapons systems, and information. Also, JPAS
will provide reports for programming and managing workloads at the DoD central
adjudication facilities and locations requiring cleared personnel. See Appendix B
for a list of the DoD central adjudication facilities.

JAMS and JCAVS. The JAMS and JCAVS applications will not create new data
from stored database records. However, they will automatically modify information
stored in the JPAS common database. The JAMS and JCAVS applications extract
information from the JPAS database and format and display it as electronic reports
on adjudicators’ and security managers’ desktop monitors. Because the common
database contains records affecting personnel privacy, JPAS is defined by the
Privacy Act (5 U.S.C. 552a) as a sensitive but unclassified system.

Processing. JPAS and its applications will not measurably expedite processing
clearance eligibilities and access to sensitive and classified assets. Determinations
affecting personnel trustworthiness require off-line decisions by adjudicators and
security managers. However, the deployed JAMS with its electronic reports will
relieve the central adjudication facilities from handling paper documents.
According to a JPAS contractor-developed economic analysis, paper handling
consumed more than 1 million hours over a 6-year period.
In addition to
replacing paper documents with electronic reports, JPAS will allow JAMS users
to grant clearance eligibilities from determinations made by other adjudication
facilities. Adjudicators can obtain and review JAMS electronic reports supporting
prior eligibility determinations and accept decisions without initiating personnel
reinvestigations. In addition, JPAS minimizes work delays for newly hired and
visiting personnel with adjudicated clearances. Security managers connected to
JCAVS can grant or deny personnel access to sensitive and classified resources
from database information placed on electronic reports.

Hardware Configuration. JPAS is hosted on a web-based hardware, common
database configuration. The primary hardware configuration for the JPAS
common database resides at Bolling Air Force Base, Washington, D.C., with a
back-up configuration in Monterey, California. The system is sized for growth
in workload. It is designed to accommodate 450 JAMS and 30,000 JCAVS
users, assist in processing 750,000 adjudication cases annually, maintain
clearance designations for 5 million people, and provide statistical data and
capabilities to conduct personnel security studies.

Oversight and Management. The Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) [ASD(C3I)] functionally sponsors
JPAS, but has not designated JPAS as either an Acquisition Category IA¹ or a
Major Information Technology Investment² information system. The Assistant
Secretary assigned program management responsibilities to the Air Force for
acquisition and operations and maintenance.
Contractors provide the Air Force
services for development, integration and deployment, information assurance,
and verification and validation.

Funding. DoD, the Military Departments, and DoD Components funded the
JPAS information technology investment. Through the fourth quarter of
FY 1999, ASD(C3I) provided the Air Force with $8 million for JPAS
development and purchases of hardware and software. Since the start of
FY 2000, the Military Departments and DoD Components financed the JPAS
investment with Operations and Maintenance funds transferred to the Air Force.
For FY 2001 through FY 2007, the Air Force estimates that JPAS costs assessed
to the Military Departments and DoD Components will amount to $34 million.

Testing and Deployment. The Air Force is testing and deploying JPAS. Until
the JAMS and JCAVS applications demonstrate adequate system effectiveness and
reliability, legacy adjudication systems will operate in parallel with the deployed
JPAS.
Initial Operational Capability is planned for October 2001.

¹ Programs are defined as Acquisition Category IA automated information systems if costs for any single year
  exceed $32 million (FY 2000 constant dollars), total program costs exceed $126 million, total life-cycle
  costs exceed $378 million, or if ASD(C3I) designates them as Acquisition Category IA systems.
² Programs are defined as Major Information Technology Investment if ASD(C3I) determines that a
  program requires special Office of Secretary of Defense management attention because of its importance
  to the DoD mission; its high development, operating, or maintenance costs; or its significant role in
  administering DoD programs, finances, property, or other resources.

Objective

The overall audit objective was to evaluate the acquisition management of JPAS.
Specifically, the audit determined whether the system was being cost-effectively
acquired, monitored, tested, and prepared for deployment and system life-cycle
support in accordance with DoD Directive 5000.1, “Defense Acquisition,”
March 15, 1996 (subsequently revised on October 23, 2000), and DoD
Directive 5200.28, “Security Requirements for Automated Information
Systems (AISs),” March 21, 1988. In addition, we evaluated the management
control program related to the objective.
See Appendix A for a discussion of
the audit scope and methodology and the review of the management control
program.

Acquisition of the Joint Personnel Adjudication System Information Technology Investment

The ASD(C3I) and the Air Force did not manage the JPAS as an
information technology investment because the acquisition strategy was
not redefined to reflect the change made to the system’s architecture. As
a result, acquisition planning for the JPAS technology investment did not
extend beyond the Future Years Defense Plan and funding for the system
acquisition was not in compliance with DoD Regulation 7000.14-R,
“Department of Defense Financial Management Regulation,” June 2000.
Also, acquisition management oversight was not provided because JPAS
was not designated for special management attention, despite its
criticality in support of DoD missions. During the audit, ASD(C3I) and
the Air Force agreed to work towards:
• implementing a project plan for developing life-cycle acquisition
  strategy costs,
• performing independent cost and economic analyses,
• transferring program funding for development and deployment from
  the Operations and Maintenance appropriation to the Research,
  Development, Test and Evaluation appropriation, and
• transferring program funding and accounting responsibilities from the
  Air Force.

Mandatory Guidance

The Office of Management and Budget and DoD provide managers with
guidance for acquiring information technology investments and safeguarding
information.
Appendix C describes the guidance as it relates to the JPAS
acquisition.

Alternatives

Decisionmakers had alternative information systems and hardware architectures
available for the JPAS business solution. More than one information system
was available for processing and verifying security eligibilities, and more than
one database architecture alternative was available for storing common
information.

Air Force Sentinel Key

The JPAS Executive Steering Committee/Configuration Management Board³
adapted the Air Force Sentinel Key database system as a model for the JPAS
clearance eligibility and verification business solution. Data extracted from the
Sentinel Key database provided Air Force adjudicators with sufficient
information to comply with the procedures in DoD Regulation 5200.2-R for
granting or denying personnel security clearance eligibilities. In addition, Air
Force security managers used the Sentinel Key database to verify clearance
eligibilities of Air Force personnel to access secured facilities, weapons
systems, and classified information. Also, lessons learned from Sentinel Key
could be applied to JPAS for mitigating risks, organizing integrated product
teams for determining application report requirements, and preparing documents
for fund requests.

Architectures

Two database system alternatives were available for storing common
information, extracting data, formatting, and displaying information on electronic
reports. Although the distributed and centralized hardware architectures
differed, the differences between them would not be noticeable to the user.

Distributed Architecture.
A distributed architecture connects users to a
network of internal and external databases. Sites determining security
eligibilities operate and maintain similar hardware. The hardware, when
combined with inserted software applications such as JAMS and JCAVS,
provides users with a standardized and interoperable information technology
system for processing security clearance eligibilities and verifications. Further,
each database location incurs system operations and maintenance costs for
processing security eligibilities and verifications.

Centralized Architecture. A centralized architecture links adjudication and
verification processing sites to a single database. To obtain system application
reports from their workstations, users access the single database through a web
browser and a non-secure Internet connection. That alternative eliminates the
network of databases and the need for installed software applications at
adjudication processing sites. In addition, system hardware and operations and
maintenance costs are confined to one location rather than spread among
numerous sites.

³ The Director of Personnel Security, ASD(C3I), and the heads of the nine DoD Central Adjudication
  Facilities comprise the JPAS Executive Steering Committee/Configuration Management Board.

Architecture Change

Initially, JPAS was designed as a network of distributed databases.
However, in
August 1999, the JPAS Executive Steering Committee/Configuration Management
Board decided to change the system architecture to a centralized database to:
• reduce the risk of reoccurring stovepipe systems,
• provide direct data standardization, synchronization, and configuration
  control,
• eliminate the purchase of servers and additional hardware at adjudication
  processing sites,
• facilitate the interface of legacy and migration systems, and
• eliminate up to $17 million in duplicative software licensing and
  hardware costs over a 6-year period.

However, the acquisition strategy for JPAS was not redefined to reflect the
architecture change.

Acquisition Strategy

The ASD(C3I) and the Air Force continued to manage the JPAS as a network of
databases populated with common information. As a result, life-cycle planning
did not extend beyond the Future Years Defense Plan, and funding for the
acquisition did not comply with the Under Secretary of Defense (Comptroller)
memorandum,⁴ “Clarification of Policy–Budget for Information Technology and
Automated Information Systems,” October 26, 1999. Also, the DoD Chief
Information Officer did not provide acquisition oversight in accordance with
Clinger-Cohen Act of 1996.⁵ However, during the audit, the ASD(C3I) and the
Air Force agreed to extend life-cycle planning beyond the Future Years Defense
Plan and address program funding issues.

Life-Cycle Planning. Life-cycle planning for JPAS was incomplete.
Life-cycle
cradle to grave cost estimates measure returns on investments and provide
baselines for evaluating performance and progress. Although the Air Force did
prepare JPAS life-cycle management plans and economic analyses, the documents
did not comply with Office of Management and Budget Circular A-130,
“Management of Federal Information Resources,” November 30, 2000 guidance.
The documents did not extend beyond the system’s deployment and initial years of
operation. The documents supported funding for the Future Years Defense Plan
rather than justified JPAS as a life-cycle information technology investment with
identifiable development, deployment, and operations and maintenance phases.

⁴ The DoD Comptroller policy clarification was later incorporated into DoD Regulation 7000.14-R,
  Volume 2A, “Budget Formulation and Presentation,” June 2000.
⁵ Public Law 104-106, Division E, “National Defense Authorization Act for Fiscal Year 1996,
  (Information Technology Management Reform),” February 10, 1996.

Further, performance and progress measurements could not be made because
life-cycle baselines did not exist. Absent baselines for cost, schedule, and
performance, actual versus planned variations could not be determined and
indices for projecting results could not be computed.

Funding. Funding for JPAS development costs did not comply with the
October 1999 DoD Comptroller policy clarification for funding information
technology investments.
Prior to the October 1999 policy clarification,
Operations and Maintenance and Procurement appropriations rather than
Research, Development, Test and Evaluation appropriations could be used to
fund information technology systems when commercial-off-the-shelf software
was obtained or modified for existing systems. Because JPAS was defined as a
commercial off-the-shelf system, the ASD(C3I) and the Air Force financed
JAMS and JCAVS software applications for JPAS with Operations and
Maintenance appropriations and financed system hardware costs with
Procurement appropriations. However, subsequent to the policy clarification,
the ASD(C3I) and the Air Force continued to fund JPAS with Operations and
Maintenance and Procurement appropriations.

Further, program costs were charged to the Air Force when charges could not
be specifically identified to JPAS equipment procurements or contracted
development and maintenance services. Costs for the JPAS program office
direct labor, overhead, and other support costs were charged to the Air Force
Central Adjudication Facility instead of JPAS.

Oversight. The DoD Chief Information Officer did not demonstrate oversight
involvement in the acquisition of the JPAS. The Clinger-Cohen Act requires
Chief Information Officers to monitor and evaluate the performance of
information technology programs and advise the heads of agencies whether to
continue, modify, or terminate a program. JPAS supports the eligibility
adjudication and verification business processes for granting security clearances
to military, civilian, and contractor personnel. Accordingly, any processing
delay caused by JPAS could also delay DoD and contractor personnel from
performing assigned functions. As a result, JPAS requires Chief Information
Officer oversight because of its significance in supporting DoD missions.

Management Actions.
In response to an Inspector General, DoD, status
briefing on the audit, the ASD(C3I) and the Air Force agreed to work towards:
• implementing a project plan for developing life-cycle acquisition strategy
  costs,
• performing independent cost and economic analyses,
• transferring program funding for development and deployment from the
  Operations and Maintenance appropriation to the Research,
  Development, Test and Evaluation appropriation, and
• transferring program funding and accounting responsibilities from the
  Air Force.

Information Security and Integrity

The ASD(C3I) and the Air Force were completing information security
requirements for certifying and accrediting JPAS. Further, information migrating
to the centralized database was being reviewed for completeness and accuracy.

Information Security. Information security was being evaluated during JPAS
beta testing. Without an off-line test bed capability for evaluating system
operational suitability, adjudication facilities and security managers were
processing actual cases to determine JPAS effectiveness, reliability,
maintainability, and information security. Testing began in January 2001 after
the Air Force Designated Approval Authority for information security granted
the JPAS program office an Interim Approval To Operate. Almost 50 percent
of the tests had been completed.

Information Integrity. The ASD(C3I) and the Air Force were actively
engaged in resolving JPAS data discrepancies to ensure system accuracy and
reliability. System efficiency and effectiveness depend on the quality of
information stored in the JPAS central database.
Legacy databases maintained
by the Component adjudication facilities were being compared with information
stored at the Defense Manpower Data Center and the Defense Civilian
Personnel Data Center to identify discrepancies. When discrepancies were
identified, research was initiated to resolve the conflicts. However, the inability
to extract and obtain quality data from the legacy systems has delayed progress
in populating the JPAS central database. As a result, Initial Operational
Capability could be extended beyond October 2001.

Conclusion

The ASD(C3I) and the Air Force did not manage the JPAS as an information
technology investment when the system acquisition strategy changed from a
network of distributed database systems to a centralized database system. As a
result, acquisition planning for the JPAS technology investment did not extend
beyond the Future Years Defense Plan, and funding for the system acquisition
did not comply with DoD Regulation 7000.14-R. Also, despite the system’s
criticality in support of DoD missions, acquisition management oversight was
not provided in accordance with the Clinger-Cohen Act.

Although acquisition management of JPAS did not comply with Office of
Management and Budget and DoD guidance, the ASD(C3I) and the Air Force
had applied lessons learned from the acquisition of the Air Force Sentinel Key
database system, organized integrated product teams for determining system
requirements, and prepared documents for funding requests. Also, system tests
were performed to determine the effectiveness and reliability of the system’s
information security. Further, information migrating from legacy databases was
analyzed for integrity.
However, due to the inability to extract and obtain
quality data from the legacy systems, delays occurred in populating the JPAS
central database.

During the audit, the ASD(C3I) and the Air Force agreed to work towards
extending life-cycle planning beyond the Future Years Defense Plan and
addressing program funding issues. However, despite the system’s significance in
support of DoD missions, action had not been initiated to provide a prudent level
of acquisition oversight.

Recommendation and Management Comments

We recommend that the Assistant Secretary of Defense (Command,
Control, Communications, and Intelligence) designate the Joint Personnel
Adjudication System as a Major Information Technology Investment,
subject to oversight of the DoD Chief Information Officer.

Management Comments. The Director of the Security Directorate, Assistant
Secretary of Defense (Command, Control, Communications, and Intelligence),
concurred and stated that the DoD Chief Information Officer will be the Joint
Personnel Adjudication System milestone decision authority and will provide
oversight of the program. The DoD Chief Information Officer will monitor the
System’s progress using the quarterly Defense Acquisition Executive Summary
reports starting with the fourth quarter of FY 2001.

Management also stated that while it initially had no opposition to moving Joint
Personnel Adjudication System funding and accounting responsibilities out of
the Air Force, it may not be desirable or achievable in the near future without
adversely impacting progress on the Joint Personnel Adjudication System.

Audit Response. Management actions with respect to the recommendation are
responsive.
    With respect to moving Joint Personnel Adjudication System funding and
    accountability out of the Air Force, we request additional comments as to
    when such action would be achievable.

Appendix A. Audit Process

Scope
    Work Performed. We conducted this program audit from October 2000
    through February 2001 and reviewed documentation dated from May 1995
    through February 2001. To accomplish the audit objective, we:
           • Interviewed officials and obtained documentation from the offices of
             the ASD(C3I), the Air Force Program Management Office, the Air
             Force Pentagon Communications Agency, cognizant officials and
             personnel involved in the acquisition of the JPAS information
             technology investment, and contractor personnel.
           • Reviewed available documents related to program requirements,
             program definition, program assessments and decision reviews,
             periodic reporting, program management and oversight, and
             information system security.
           • Evaluated the adequacy of management controls related to the
             acquisition of the JPAS information technology investment.

    DoD-Wide Corporate Level Government Performance and Results Act
    Coverage. In response to the Government Performance and Results Act, the
    Secretary of Defense annually establishes DoD-wide corporate level goals,
    subordinate performance goals, and performance measures. This report pertains
    to achievement of the following goal, subordinate performance goal, and
    performance measure:

    FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain future
    by pursuing a focused modernization effort that maintains U.S. qualitative
    superiority in key warfighting capabilities.
    Transform the force by exploiting the Revolution in Military Affairs, and
    reengineer the Department to achieve a 21st century infrastructure.
    (01-DoD-2)

    FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial and
    information management. (01-DoD-2.5)
    Performance Measure 2.5.3: Qualitative Assessment of Reforming
    Information Technology Management. (01-DoD-2.5.3)

    DoD Functional Area Reform Goals. Most major DoD functional areas have
    also established performance improvement reform objectives and goals. This
    report pertains to achievement of the following functional area objectives and
    goals:

    Information Technology Management Functional Area.
          • Objective. Become a mission partner.
            Goal. Serve mission information users as customers. (ITM 1.2)

          • Objective. Provide services that satisfy customer information needs.
            Goal. Build architecture and performance infrastructures. (ITM 2.1)
            Goal. Improve information technology management tools. (ITM-2.4)

    General Accounting Office High-Risk Area. The General Accounting Office
    has identified several high-risk areas in the DoD. This report provides coverage
    of the Information Security and DoD Systems Modernization high-risk areas.

Methodology
    We conducted this program audit in accordance with auditing standards issued
    by the Comptroller of the United States, as implemented by the Inspector
    General, DoD. Accordingly, we included tests of management controls
    considered necessary. We did not use computer-processed information to
    perform this audit.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within and outside DoD.
    Further details are available upon request.

Management Control Program Review
    DoD Directive 5010.38, “Management Control (MC) Program,”
    August 26, 1996, and DoD Instruction 5010.40, “Management Control (MC)
    Program Procedures,” August 28, 1996, require DoD organizations to
    implement a comprehensive system of management controls that provides
    reasonable assurance that programs are operating as intended and to evaluate the
    adequacy of the controls.

    Scope of the Review of the Management Control Program. In accordance
    with DoD Directive 5000.1, DoD Instruction 5000.2, “Operation of the Defense
    Acquisition System,” October 23, 2000, and DoD Regulation 5000.2-R,
    “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and
    Major Automated Information System (MAIS) Acquisition Programs,”
    March 15, 1996 (subsequently revised on January 4, 2001), acquisition
    managers are to apply program cost, schedule, and performance parameters to
    control objectives for implementing DoD Directive 5010.38 requirements.
    Accordingly, we limited our review to management controls directly related to
    the acquisition management and information security of the JPAS. We also
    reviewed management’s self-evaluation of management controls applicable to
    the acquisition of JPAS information technology.

    Adequacy of the Management Controls. Management controls were
    inadequate for the acquisition of the JPAS. Life-cycle plans were not
    developed, nor were program baselines determined for the information
    technology investment. As a result, an internal management control system for
    monitoring program performance and progress could not be implemented.
    Cost, schedule, and performance deviations could not be identified and measurement
    indices could not be computed for projecting results. To correct its management
    control deficiencies, the Air Force agreed to develop life-cycle costs and
    perform independent cost and economic analyses. Oversight of the JPAS
    acquisition, however, remains insufficient. Implementation of our
    recommendation for increased oversight by the DoD Chief Information Officer
    should correct this weakness. A copy of the report will be sent to the senior
    official in charge of management controls for the ASD(C3I).

    Adequacy of Management’s Self-Evaluation. Neither the ASD(C3I) nor the
    Air Force identified JPAS as an assessable unit.

Prior Coverage
    During the last 5 years, no reports addressing the JPAS information technology
    investment have been issued.

Appendix B. DoD Central Adjudication Facilities
   The JPAS central database will support the following nine DoD central
   adjudication facilities:

          •   Department of the Army Central Clearance Facility,
                 Fort Meade, Maryland

          •   Department of the Navy Central Adjudication Facility,
                 Washington Navy Yard, Washington, District of Columbia

          •   Department of the Air Force Central Adjudication Facility,
                 Bolling Air Force Base, Washington, District of Columbia

          •   Washington Headquarters Service Central Adjudication Facility,
                 Arlington, Virginia

          •   Defense Intelligence Agency Central Adjudication Division,
                 Arlington, Virginia

          •   Joint Chiefs of Staff-Security/Central Adjudication Branch,
                 Pentagon, Washington, District of Columbia

          •   National Security Agency Central Adjudication Division,
                 Fort Meade, Maryland

          •   Defense Security Service-Defense Industrial Security Clearance
                 Office Central Adjudication Division,
                 Columbus, Ohio

          •   Defense Office of Hearings and Appeals,
                 Arlington, Virginia, and Columbus, Ohio

Appendix C. Acquisition Guidance
    The Office of Management and Budget and DoD provide managers with
    guidance for acquiring information technology investments and safeguarding
    information assets.

Office of Management and Budget
    Office of Management and Budget Circular A-130, “Management of Federal
    Information Resources,” November 30, 2000, implements numerous public laws
    and other Office of Management and Budget guidance that address acquisition of
    information technology investments and security of personal information.
    In accordance with the Clinger-Cohen Act of 1996, the Circular requires that:

       •   Cost benefit analyses be prepared for each system throughout its life cycle.

       •   Performance measures be implemented to provide timely information
           regarding the progress of an information technology program in terms of
           cost and capability to meet specified requirements, timeliness, and
           quality.

       •   Major information systems proceed in a timely fashion toward
           agreed-upon milestones in an information system life cycle.

       •   Chief information officers monitor and evaluate the performance of
           information technology investments through the capital planning
           investment control process, and advise the agency head on whether to
           continue, modify, or terminate a program or project.

    Further, when an individual’s right to privacy must be protected, the Circular
    requires management controls for safeguarding information assets. Those controls
    include:

       •   the assignment of a person who is responsible for ensuring adequate
           system security,

       •   the development of security plans for all systems containing sensitive
           information,

       •   periodic security reviews to determine the effectiveness of controls, and

       •   a security control assessment by a management official before a system
           processes information.

DoD Guidance
    DoD Directive 5000.1. DoD Directive 5000.1, “Defense Acquisition,”
    March 15, 1996 (subsequently revised on October 23, 2000), establishes a
    disciplined life-cycle management approach for acquiring quality products.
    The Directive requires rigorous internal management control systems for
    identifying deviations from approved program baselines.

    DoD Directive 5200.28. DoD Directive 5200.28, “Security Requirements for
    Automated Information Systems (AISs),” March 21, 1988, provides mandatory
    guidance for safeguarding classified information and information that might
    affect the privacy of DoD personnel. It implements security safeguard
    provisions of Office of Management and Budget Circular A-130, and is a
    reference source for DoD Instruction 5200.40, “DoD Information Technology
    Security Certification and Accreditation Process (DITSCAP),” June 1, 1998,
    and Air Force Systems Security Instruction 5024, Volume 1, “The Certification
    and Accreditation (C&A) Process,” September 1, 1997.

    DoD Instruction 5000.2. DoD Instruction 5000.2, “Operation of the Defense
    Acquisition System,” Change 1, January 4, 2001, establishes a general approach
    for managing system acquisitions with best life-cycle solutions for satisfying
    user requirements. The Instruction requires chief information officers to
    confirm that mission-critical and essential information systems are developed in
    accordance with the Clinger-Cohen Act of 1996 before approvals are granted for
    milestone advancements.

    DoD Regulation 5000.2-R. Interim DoD Regulation 5000.2-R, “Mandatory
    Procedures for Major Defense Acquisition Programs (MDAPs) and Major
    Automated Information System (MAIS) Acquisition Programs,” January 4, 2001,
    establishes life-cycle procedures for managing major acquisition programs and a
    model for other system acquisitions.

Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Chief, Defense Security Service-Defense Industrial Security Clearance Office
      Central Adjudication Division
Director, Administration and Management

Department of the Army
Commander, Department of the Army Central Clearance Facility
Auditor General, Department of the Army

Department of the Navy
Director, Department of the Navy Central Adjudication Facility
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Director, Office of the Administrative Assistant, Secretary of the Air Force
Director, Department of the Air Force Central Adjudication Facility
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Contract Audit Agency
Director, Defense Finance and Accounting Service
Director, Defense Intelligence Agency Central Adjudication Division
Inspector General, Defense Intelligence Agency
Director, Defense Logistics Agency
Director, Defense Office of Hearings and Appeals
Director, National Security Agency
   Chief, National Security Agency Central Adjudication Division
   Inspector General, National Security Agency
Chief, Joint Chiefs of Staff-Security/Central Adjudication Branch
Chief, Washington Headquarters Service Central Adjudication Facility

Non-Defense Federal Organizations
Office of Management and Budget
Office of Information and Regulatory Affairs

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) Comments

Audit Team Members
The Acquisition Management Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General,
DoD, who contributed to the report, are listed below.

Mary L. Ugone
Charles M. Santoni
David M. Wyte
Donald Stockton
Steve J. Bressi
Robert R. Johnson
Walter Bohinski
Krista S. Gordon
'